My domain is domain.tld, where I have DKIM functioning just fine. All of my domain emails are signed, and pass. I have a need now to send mail on behalf of my customers occasionally, i.e. send email from john.doe@customers.tld to sally@customers-customer.tld. I know that I can sign the email with my domain.tld DKIM key, and it will "pass". But really, any spammer could do this as well, so what value does this provide?

So, is there value in signing an email that I'm knowingly "spoofing" on behalf of my customer? It seems like there must be, because this is a pretty common practice, but it seems counterintuitive to me. Any documentation, or anything you can point me to, would be awesome.

2 Answers

It's up to the receiver what he will do with this mail. He could outright reject the mail if it is signed by a domain other than the one in the From: field, just use it as a factor to increase the spam score, add a header field or alter the subject line, or whatever else someone might come up with.

Just blindly accepting the mail despite the mismatched signature certainly appears counter-productive to me, but it might be necessary for some sites until DKIM adoption increases further. I have no idea how GMail and other large adopters actually deal with this, though.

There are problems with DKIM and verifying the sending server. By signing with your DKIM signature it is possible to be reasonably certain that your server handled the message at some point. You can also be reasonably certain that the message was not changed after that point. This can be important if I present a mail message as evidence. (For instance, I can't change the price offered.)

I find that a high percentage of legitimate DKIM-signed messages can't be verified because the public keys are not published (or at least aren't published correctly). The fact that I can find the signing keys provides me with some assurance that the sender is not trying to hide the origin of the message.

Combined with SPF, I can rank signed messages higher or lower on the spam scale. If you are a permitted sender, I may choose to rank the message higher on the ham side. Otherwise, I may count the message as more spammish.

A cleaner way of doing the signing is to use an address in your domain in the From header and put the client's address in the Reply-To header. Alternatively, you can put an address from your domain in the Sender header. Either way, it becomes possible to match the envelope sender to an address in the headers. While there is no need for the envelope sender to be included in the headers, some servers will rank you higher on the spam scale if it isn't. In some cases, they may refuse your mail.
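The two answers above describe the same decision from opposite sides: the first says a receiver is free to treat a DKIM d= domain that does not match the From: header as a spam signal, and the second suggests the sender avoid that by putting a domain.tld address in From: (with Reply-To: for the customer) or in Sender:, so that the envelope sender can be matched to something in the headers. The following is an added example, not code from either answer or from any real mail filter: a small receiver-side alignment check that pulls the d= tag out of each DKIM-Signature header and compares it with the From:, Sender: and envelope domains, then turns the result into a spam-score adjustment. The sample messages, the domains domain.tld / customers.tld / spammer.example, the score values and the relaxed-alignment rule (parent/child domain match instead of a real public-suffix lookup) are all illustrative assumptions. The check does not verify the signature itself; it assumes the signature has already been verified and only asks who signed it.

```python
"""Added example: receiver-side DKIM alignment check (illustrative, not a
real filter). Extracts the d= domain of every DKIM-Signature header and
compares it with the From:, Sender: and SMTP envelope domains, then maps
the outcome to a spam-score adjustment. Signature verification is assumed
to have happened already; this only looks at *who* signed."""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import parseaddr


def header_domain(msg: Message, name: str) -> str | None:
    """Lower-cased domain of the first address in header `name`, or None."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def dkim_signing_domains(msg: Message) -> list[str]:
    """d= tag of each DKIM-Signature header, with folding whitespace removed."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in "".join(str(sig).split()).split(";"):
            if tag.startswith("d="):
                domains.append(tag[2:].lower().rstrip("."))
    return domains


def aligned(domain: str | None, signer: str, strict: bool = False) -> bool:
    """Strict: exact match. Relaxed: one domain is a parent of the other.
    Assumption: real DMARC relaxed alignment compares organizational domains
    via the public suffix list; the parent/child rule here is a simplification."""
    if domain is None:
        return False
    if strict or domain == signer:
        return domain == signer
    return domain.endswith("." + signer) or signer.endswith("." + domain)


def check_alignment(raw: str, envelope_from: str | None = None) -> dict:
    """Which of From:, Sender: and the envelope sender align with a signer."""
    msg = message_from_string(raw)
    signers = dkim_signing_domains(msg)
    from_dom = header_domain(msg, "From")
    sender_dom = header_domain(msg, "Sender")
    env_dom = None
    if envelope_from and "@" in envelope_from:
        env_dom = envelope_from.rsplit("@", 1)[1].lower()
    return {
        "from": from_dom,
        "signers": signers,
        "from_aligned": any(aligned(from_dom, d) for d in signers),
        "sender_aligned": any(aligned(sender_dom, d) for d in signers),
        "envelope_aligned": any(aligned(env_dom, d) for d in signers),
    }


def spam_score_adjustment(result: dict) -> float:
    """Illustrative policy; the numbers are assumptions. An aligned signature
    is a mild ham signal; a signature that matches only Sender:/envelope is
    near-neutral; a signer unrelated to anything in the message counts against it."""
    if not result["signers"]:
        return 0.0
    if result["from_aligned"]:
        return -1.5
    if result["sender_aligned"] or result["envelope_aligned"]:
        return 0.5
    return 2.0


# Constructed sample messages (not real mail). The DKIM-Signature headers are
# folded the way an MTA would fold them; b=/bh= values are placeholders.
MSG_SPOOFED = """\
From: John Doe <john.doe@customers.tld>
To: sally@customers-customer.tld
Subject: Quote
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.tld;
 s=mail; h=from:to:subject; bh=placeholder=; b=placeholder=

Price: 100
"""

MSG_REPLY_TO = """\
From: Mailer <noreply@domain.tld>
Reply-To: John Doe <john.doe@customers.tld>
To: sally@customers-customer.tld
Subject: Quote
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.tld;
 s=mail; h=from:reply-to:to:subject; bh=placeholder=; b=placeholder=

Price: 100
"""

MSG_SENDER = """\
From: John Doe <john.doe@customers.tld>
Sender: mailer@domain.tld
To: sally@customers-customer.tld
Subject: Quote
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.tld;
 s=mail; h=from:sender:to:subject; bh=placeholder=; b=placeholder=

Price: 100
"""

MSG_UNRELATED = """\
From: John Doe <john.doe@customers.tld>
To: sally@customers-customer.tld
Subject: Quote
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spammer.example;
 s=x; h=from:to:subject; bh=placeholder=; b=placeholder=

Price: 1
"""

if __name__ == "__main__":
    for label, raw, env in [
        ("From customer, signed by domain.tld", MSG_SPOOFED, "bounce@domain.tld"),
        ("From domain.tld, Reply-To customer", MSG_REPLY_TO, "bounce@domain.tld"),
        ("From customer, Sender domain.tld", MSG_SENDER, "bounce@domain.tld"),
        ("From customer, signed by unrelated domain", MSG_UNRELATED, None),
    ]:
        r = check_alignment(raw, env)
        print(f"{label}: {r} -> adjustment {spam_score_adjustment(r):+.1f}")
```

Run as a script it prints the four cases. The From:-aligned Reply-To variant is the only one that earns a ham bonus; the Sender: and envelope-only variants are scored near neutral, matching the second answer's point that they at least let the receiver tie the signer to something in the message; the message signed by a domain that appears nowhere else gets the full penalty.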